• Vlad Tsyrklevich's avatar
    vfio/pci: Fix integer overflows, bitmask check · 073e9973
    Vlad Tsyrklevich authored
    [ Upstream commit 05692d70 ]
    
    The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
    user-supplied integers, potentially allowing memory corruption. This
    patch adds appropriate integer overflow checks, checks the range bounds
    for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
    in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
    VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
    vfio_pci_set_irqs_ioctl().
    
    Furthermore, a kzalloc is changed to a kcalloc because the use of a
    kzalloc with an integer multiplication allowed an integer overflow
    condition to be reached without this patch. kcalloc checks for overflow
    and should prevent a similar occurrence.
    Signed-off-by: default avatarVlad Tsyrklevich <vlad@tsyrklevich.net>
    Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
    Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
    073e9973
vfio_pci.c 30.1 KB